TTPwire Vol. 1 · MITRE ATT&CK-tagged


F5 Labs

Vulnerabilities, Exploits, and Malware Driving Attack Campaigns in August 2019

2019-09-24

ATT&CK techniques detected

10 predictions

T1190 Exploit Public-Facing Application
98%
“we saw in August 2019. The five new attack campaigns we detected all targeted vulnerabilities classified as “unsafe input injection.” - Two campaigns targeted ThinkPHP servers that are vulnerable to a remote code execution (RCE) vulnerability (CVE-2018-20062). The secon…”

T1588.006 Vulnerabilities
84%
“Vulnerabilities, Exploits, and Malware Driving Attack Campaigns in August 2019. Security researchers at F5 Networks constantly monitor web traffic at various locations all over the world. This allows us to detect “in the wild” malware, and to get an insight into the current thre…”

T1190 Exploit Public-Facing Application
81%
“translated from Chinese): “Because the framework does not detect the controller name enough, it may lead to possible ‘getshell’ vulnerabilities without the forced routing enabled.” Two days after this patch was released, a working proof of concept (PoC) was posted on Expl…”

T1190 Exploit Public-Facing Application
75%
“a "date" shell command. - Oracle WebLogic Async Deserialization RCE (max age). This campaign aims to identify and exploit Oracle WebLogic servers vulnerable to the Oracle WebLogic async deserialization remote code execution vulnerability (CVE-2017-10271). The threat actor i…”

T1190 Exploit Public-Facing Application
66%
“this vulnerability (/content/f5-labs-v2/en/labs/articles/threat-intelligence/vulnerabilities--exploits--and-malware-driving-attack-campaigns-in-april-2019.html). This article, along with others about campaigns targeting various ThinkPHP v…”

T1190 Exploit Public-Facing Application
53%
“Vulnerabilities, Exploits, and Malware Driving Attack Campaigns in August 2019. Security researchers at F5 Networks constantly monitor web traffic at various locations all over the world. This allows us to detect “in the wild” malware, and to get an insight into the current thre…”

T1059.004 Unix Shell
51%
“finite, and it doesn't make sense for threat actors to expend those resources on campaigns that are not profitable. F5 researchers have noticed a trend recently with different threat and malware campaigns seemingly culling their victim lists and taking a more targeted approach…”

T1588.006 Vulnerabilities
43%
“this vulnerability (/content/f5-labs-v2/en/labs/articles/threat-intelligence/vulnerabilities--exploits--and-malware-driving-attack-campaigns-in-april-2019.html). This article, along with others about campaigns targeting various ThinkPHP v…”

T1190 Exploit Public-Facing Application
35%
“of vulnerability present in applications.2 These flaws can allow a resourceful attacker to execute malicious commands and queries. Threat actors used their resources wisely this month, focusing on target reconnaissance. Instead of sending the main payload in the first request, t…”

T1505.003 Web Shell
32%
“a "date" shell command. - Oracle WebLogic Async Deserialization RCE (max age). This campaign aims to identify and exploit Oracle WebLogic servers vulnerable to the Oracle WebLogic async deserialization remote code execution vulnerability (CVE-2017-10271). The threat actor i…”

Summary

August 2019 was the slowest month on record that F5 researchers have seen for new threat activity. But while active exploitation slowed, new reconnaissance campaigns grew.